
I request the name of this thread be changed to something less likely to drive away Slackware users. These are NOT all security vulnerabilities, they are NOT all outstanding, and they are NOT critical.

In fact, I don't see why you don't submit these to Pat V. himself, if you believe they are so important. He might not even see them here.

These are NOT all security vulnerabilities, they are NOT all outstanding, and they are NOT critical.

These vulnerabilities are outstanding as of 20140113 and have security implications of varying degree. Claiming otherwise, as you've done twice now, is confusing to readers who might inadvertently believe you.

Quote:

Originally Posted by metaschima

In other words, don't let this thread chase you away from Slackware.

Quote:

Originally Posted by metaschima

If corvid posts again (that was his last post), then I'll believe it.

It's clear corvid's comment has given you the jitters. I wish he'd not made it here because as a result the thread is now more noise than signal (BTW, he made a similar comment in January 2012).

But, you've got it backwards. Raising awareness, sharing information, and most importantly providing solutions for these issues, makes Slackware and its community stronger, not weaker.

I'm wondering where the other Slackware devs are, and what their comments on these issues are. I request at least that, otherwise this thread doesn't look right, and I don't like that. Slackware is a great distro and I don't like the image it is getting here in this thread. Maybe that wasn't the original intent, but that's what it is now.

But, you've got it backwards. Raising awareness, sharing information, and most importantly providing solutions for these issues, makes Slackware and its community stronger, not weaker.

I can see both sides here - but ultimately I agree with mancha because as the user/maintainer of a system running Slackware, I'd rather be aware of the current potential security issues (whatever their severity) and decide what to do about them, whilst I am awaiting an update in the Slackware tree. After all, if I have to rebuild a system that was compromised, that's going to take me a *lot* longer than preparing a patch myself or a short term work-around.

I also recommend that you post more information about each vulnerability instead of just "CVE-2013-4545 fixed." Post what the fix does and how severe it is. I'm sure you want something that will benefit Slackware, so putting accurate, detailed information is much less likely to scare off users. At least post a link to the page that describes the problem and fix, and rate its severity.

Security of your system is your responsibility, not Master Volkerding's. Seasoned systems administrators are current with the entries in https://isc.sans.edu/diary.html, and probably have read at least a few of the security-related white papers at SANS. In fact, there is enough information on that site to become qualified as a security expert, but if that's your goal, sign up for classes at http://www.sans.edu/. Be proactive.

Note: upgrading xorg-server packages will overwrite proprietary video drivers so if you use those you'll need to re-install them after the upgrade.

Finally, I am providing CVE-2013-6425.ods, a LibreOffice spreadsheet proof-of-concept thanks to Ubuntu, which shows the DoS against X. Make sure you've saved everything you're working on before doing this because it'll crash the X server:

Well, that's more like it. I can see now that you are actually trying to help Slackware users. Providing patches and packages to fix these issues, and even a proof-of-concept is a great thing.

I apologize for doubting your good intentions earlier. May I recommend that you make your intentions more clear in your initial posts by explaining a bit about what you are trying to achieve. Writing a short statement about your concern on outstanding vulnerabilities, links to explanations of the vulnerabilities, saying that you e-mailed Mr. Pat V with them, and saying that you wish to help users resolve these vulnerabilities would do wonders on how people interpret your thread. Like 2 sentences is all it takes, and there won't be any more confusion. Again, I understand now that your intentions are good, but only after this last post.

Lastly, just so people don't get me wrong, I would like to say that Slackware is a great distro, the best I've tried. I would like to help it out as much as I can, and I don't like to see its name tarnished. I reacted the way I did, because the intentions of the thread were unclear to me. Maybe they were clear to others. I guess maybe it is because I'm new here, and I don't know exactly how things are done.

"Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value."

We are already running 0.32.0. The vulnerable version was 0.30.0. BTW, who has the Intel Xorg driver installed? That isn't what Slackware distributed on November 8, 2013. We already have the fixed pixman.h in pixman and xorg. Here's the patch that was applied last October: http://lists.x.org/archives/xorg-dev...er/037996.html

https://cve.mitre.org has revamped their website. A lot of legacy incidents appear to be new, but upon further investigation, you'll find they were closed last year.
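
An added illustration of the bug class named in the CVE text quoted above (not code from Pixman or from any poster in this thread): a validity check that tests the sign of a difference can wrap and accept a trapezoid whose bottom lies above its top, while a direct comparison cannot. The struct, the function names, the shape of the weak check and the sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a trapezoid's vertical extent (not Pixman's type). */
typedef struct { int32_t top, bottom; } trap_t;

/* Assumed weak form: validity is decided from the difference bottom - top.
 * The subtraction is done in uint32_t so the wraparound is well-defined C. */
static int valid_by_difference(const trap_t *t)
{
    uint32_t diff = (uint32_t)t->bottom - (uint32_t)t->top;
    return diff != 0 && diff <= (uint32_t)INT32_MAX;   /* "difference > 0" */
}

/* Hardened form: compare the operands directly, so nothing can wrap. */
static int valid_by_compare(const trap_t *t)
{
    return t->bottom > t->top;
}

/* Constructed sample inputs (16.16 fixed-point scaling is an assumption). */
static const trap_t SAMPLES[] = {
    { 0,           10 * 65536 },    /* ordinary trapezoid                */
    { 10 * 65536,  0 },             /* inverted, small gap               */
    { 5 * 65536,   5 * 65536 },     /* zero height                       */
    { -20 * 65536, -10 * 65536 },   /* negative but correctly ordered    */
    { 0x7fff0000,  -0x7fff0000 },   /* negative bottom, gap exceeds 2^31 */
};
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Number of samples on which the two checks give different answers. */
static int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (valid_by_difference(&SAMPLES[i]) != valid_by_compare(&SAMPLES[i]))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("top=%d bottom=%d difference-check=%d compare-check=%d\n",
               (int)SAMPLES[i].top, (int)SAMPLES[i].bottom,
               valid_by_difference(&SAMPLES[i]), valid_by_compare(&SAMPLES[i]));
    printf("disagreements: %d\n", count_disagreements());
    return 0;
}
```

Only the last sample separates the two checks: the wrapped difference is a small positive number, so the difference-based check passes geometry that the comparison rejects.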